Smart Phones Have Not So Smart Security

By Dan Ross, President & CEO, Promisec

Smartphones. They have spurred a global revolution in how we work, play, shop, and relate to one another. They fuel innovation and productivity in astonishing ways, reaching even the most distant and underdeveloped corners of the world. They have empowered the disenfranchised, democratized information sharing, and shined a spotlight on corruption. They are also addictive and pervasive, affecting everything from personal health to public safety. And all of this has happened in less than ten years.

By 2020, there will be over 6 billion smartphone users worldwide, compared to the current 2.6 billion smartphone subscriptions. This meteoric growth over the next 5 years will stimulate more positive developments, powering innovations beyond imagination. But there is a downside to the rapid growth of mobile devices, especially when it comes to BYOD programs in the workplace. Long gone are the days when work and play were kept separate, one on a BlackBerry and the other on an iPhone. Because we use smartphones for every kind of communication and computing task all day long, the boundaries between business and personal use are blurred, and all types of data, including sensitive corporate information, are commingled.

Smartphones are so wildly popular because of the convenience and ease they bring to our daily lives; paying careful attention to security measures or restricting our use goes against our human nature. Of course, we must create and enforce BYOD policies and raise awareness through training—for the sake of personal security and the protection of business networks and assets. But with billions of mobile users and a rapidly proliferating Internet of Things, no amount of policy or training will solve the growing risks created by these devices and their users. The technology itself must be made smarter and more secure. Everything from operating systems to device settings to apps to data to hardware is subject to attack. And each device and platform comes with its own proprietary components and transparency gaps; consumers are left with few truly secure choices. Options that are affordable as well as secure are even more limited.

As of 2015 Q2, Android market share was 82.8 percent, iOS 13.9 percent, and BlackBerry 0.3 percent. Android handsets tend to be more affordable, in part due to the competition among manufacturers. Samsung, Huawei, Xiaomi, and Lenovo are on top for now. Unfortunately, this also means that the less secure devices, operating systems, and apps are the most prevalent. The Stagefright security flaws (now identified as two strains) potentially affect over a billion Android users. The flaws make it possible for attackers to take control of a device and steal data, with the trigger being as simple as receiving a text message or auto-playing an audio or video file. Google promptly issued patches, but device manufacturers are notoriously slow to release updates, and consumers are even worse at applying them. A particularly egregious example from earlier this year is Samsung's pre-installed SwiftKey keyboard. SwiftKey fetched its updates over unencrypted connections, leaving devices open to man-in-the-middle attacks in which an attacker on the network path stands up a spoofed proxy server and feeds malicious code to the device in place of the real update. Users could not fix the bug by downloading a new keyboard, and because the vulnerable component was tied to the operating system, they couldn't uninstall or disable it, even if they were using a different keyboard app. Samsung required months to fix the issue, and rollouts to carrier networks were slow and spotty. In the end, even savvy users ready to install patches (not the majority, by the way) were left exposed for half a year.
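The SwiftKey case above is an update channel with no authentication: whoever can sit between the device and the update server can substitute their own payload. The following Go program is an added illustration, not code from this article, from Samsung, or from SwiftKey, of the control that defeats that attack regardless of transport: the device pins the vendor's public key and refuses any update whose signature does not verify under it. The key pair, the payload text, and the `tamperInTransit` model of the proxy are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is what the device receives: the update body plus the vendor's
// signature over it. A proxy can rewrite either field, but cannot produce
// a signature that verifies under the vendor's key.
type Update struct {
	Payload   []byte
	Signature []byte
}

// signUpdate is the vendor-side step performed in the build pipeline:
// sign the exact bytes that will be shipped.
func signUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// verifyUpdate is the device-side step. pinnedPub is the vendor key baked
// into the app or firmware image, so nothing learned from the network
// (including a "new" key delivered by the proxy) can replace it.
func verifyUpdate(pinnedPub ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinnedPub, u.Payload, u.Signature) {
		return errors.New("update rejected: signature does not verify under the pinned vendor key")
	}
	return nil
}

// tamperInTransit models the spoofed proxy in the article: it swaps the
// body for a constructed malicious one but has no way to re-sign it.
func tamperInTransit(u Update, malicious []byte) Update {
	return Update{Payload: malicious, Signature: u.Signature}
}

// RunScenario walks through three deliveries and reports whether the device
// accepted each: the genuine update, a proxy-modified update, and an update
// the attacker signed with a key of their own.
func RunScenario() (legitAccepted, tamperedAccepted, resignedAccepted bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample update body; a real one would be a language pack or binary.
	payload := []byte("keyboard-langpack-v2: constructed sample update body")
	genuine := signUpdate(vendorPriv, payload)
	legitAccepted = verifyUpdate(vendorPub, genuine) == nil

	// Case 2: the proxy keeps the real signature but replaces the body.
	malicious := []byte("keyboard-langpack-v2: constructed body altered by a proxy")
	tamperedAccepted = verifyUpdate(vendorPub, tamperInTransit(genuine, malicious)) == nil

	// Case 3: the proxy signs the malicious body with its own key pair.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	resignedAccepted = verifyUpdate(vendorPub, signUpdate(attackerPriv, malicious)) == nil
	return
}

func main() {
	legit, tampered, resigned := RunScenario()
	fmt.Printf("genuine update accepted:        %v\n", legit)
	fmt.Printf("proxy-modified update accepted: %v\n", tampered)
	fmt.Printf("attacker-signed update accepted: %v\n", resigned)
}
```

Signed payloads and transport encryption are complementary, not alternatives: TLS with proper certificate validation would have stopped the spoofed proxy from speaking to the device at all, while the pinned-key signature check protects the device even when the transport is downgraded, misconfigured, or terminated at a compromised server. A product that ships only one of the two inherits the failure mode of the missing one.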

One of the reasons mobile devices make us so vulnerable to cyber attack is that they are constantly collecting, storing, and transmitting data about us, often without our explicit knowledge or consent. The data layer inherent to apps, web browsers, ecommerce, and social media is a treasure trove of PII, demographics, geo-location data, and online behavioral habits. Companies and marketing organizations are still working through the security and privacy implications of amassing, analyzing, and applying all this consumer data, and a host of regulations have sprung up to protect individuals. But cyber criminals, obviously, operate outside of policy and regulations and are clawing their way through to this invaluable data via multiple attack vectors. Securing this information should be the urgent mandate of any enterprise that uses it. On the other hand, consumers and citizens must be highly vigilant about their personal security and assets, operating always under the assumption that far too much of their information is out of their control and can be used against them.

Finally, the hardware aspect of mobile devices is in itself a huge problem. The wireless mobility, small form factor, and our habitual public use of these devices make them all too easy to lose or steal. Thanks to security features added to recent models, more users are using screen locks, but those who don't have left themselves wide open whenever their device is out of their hands. Researchers have found ways to remotely manipulate phones by sending radio signals to connected headphones; vulnerabilities of this kind will be exploited more frequently as attackers look for new, more sophisticated ways to control mobile devices undetected.

As the infrastructure of smart, connected devices (IoT) begins to take shape, mobile devices will increasingly be used to remotely control machines, read sensors, and activate other consumer devices (e.g., appliances, home security systems). This presents yet another urgent reason to figure out how to lock down mobile devices in the event of loss or theft, and to harden the security of every component from hardware to operating system. The potential consequences of kinetic attacks in the physical world launched via mobile device are gravely alarming and will hopefully prompt more serious reflection and remediation than we’ve seen in the wake of numerous massive PII data breaches.

In the meantime, everything from operating systems to app development to Big Data practices requires greater scrutiny, better planning, and intense testing. Clearly, the development and release of patches needs to be sped up and streamlined. Segmenting work and personal spaces on each device would keep corporate data better protected and easier to control with endpoint security solutions and mobile device management products. Vendors should be more transparent with consumers about which apps are accessing data and smartphone functions (e.g., camera, audio recording). They must make it easier in general for users to understand how secure their device is overall, and how to adjust settings for more control and privacy, even if that doesn't always work in the vendor's favor.

We are literally all in this together. Our billions of devices are all interconnected, our data is free ranging, the cyber criminals are targeting all of us, and every type and size of business is at risk because of mobile device vulnerabilities. We should expect and demand better products and services, and use security features whenever feasible. Enterprises should already be setting up overarching training, policy, and technology solutions to protect their supply chains, employees, customers, and assets. Any organization that has failed to do so is courting disaster. Mobile security is a growing challenge that can be dealt with now. Make mobile security a priority so you won't be left behind or left exposed.